We covered the concept of network forensics and its use cases, including network discovery, network troubleshooting, packet analysis and reconstruction, incident response and threat hunting. We demonstrated how to use NetworkMiner, a popular tool in this domain, to capture live traffic and analyze recorded traffic to extract insights about hosts, ports, exchanged files and images, DNS queries, network anomalies, etc. This was part of TryHackMe NetworkMiner | SOC Level 1 track.

Challenge Description

Learn how to use NetworkMiner to analyse recorded traffic files and practice network forensics activities.

Video Highlights

Network Forensics is a specific subdomain of the Forensics domain, and it focuses on network traffic investigation. The Network Forensics discipline covers the work done to access transmitted information by listening to and investigating live and recorded traffic, gathering evidence/artefacts and understanding potential problems.

Briefly, it is the action of recording packets of network traffic, creating investigatable sources and establishing a root-cause analysis of an event. The ultimate goal is to provide sufficient information to detect malicious activities, security breaches, policy/regulation compliance, system health and user behaviour.

The investigation process identifies communicated hosts in terms of time, frequency, protocol, application and data.

The investigation tries to answer the 5Ws:

  • Who (Source IP and port)
  • What (Data/payload)
  • Where (Destination IP and port)
  • When (Time and date)
  • Why (How/What happened)

Note that the network evidence capture and investigation process should be systematic. Having enough data and the right timeline capture for a successful network forensics investigation is crucial.

Network Forensics Use Cases

The most common network forensics use cases are explained below:

  • Network discovery: Discovering the network to overview connected devices, rogue hosts and network load.
  • Packets reassembling: Reassembling the packets to investigate the traffic flow. This use case is helpful in unencrypted traffic flows.
  • Data leakage detection: Reviewing packet transfer rates for each host and destination address helps detect possible data leakage.
  • Anomaly and malicious activity detection: Reviewing overall network load by focusing on used ports, source and destination addresses, and data helps detect possible malicious activities along with vulnerabilities. This use case covers the correlation of indicators and hypotheses as well.
  • Policy/Regulation compliance control: Reviewing overall network behaviour helps detect policy/regulation compliance.

Advantages of Network Forensics

General advantages of network forensics are explained below:

  • Availability of network-based evidence in the wild: Capturing network traffic is collecting evidence, so it is easier than other types of evidence collections such as logs and IOCs.
  • Ease of data/evidence collection without creating noise: Capturing and working with network traffic is easier than investigating unfiltered events from EDRs, EPPs and log systems. Usually, sniffing doesn’t create much noise, logs or alerts. In addition, network traffic cannot be destroyed the way logs and alerts generated by security systems can.
  • It is hard to destroy the network evidence, as it is the transferred data: Since the evidence is the traffic itself, it is impossible to do anything without creating network noise. Still, it is possible to hide the artefacts by encrypting, tunnelling and manipulating the packets. That possibility is the challenge that comes with this advantage.
  • Availability of log sources: Logs provide valuable information which helps to correlate the chain of events and support the investigation hypothesis. The majority of the EDRs, EPPs and network devices create logs by default. Having log files is easy if the attacker/threat/malware didn’t erase/destroy them.
  • It is possible to gather evidence for memory and non-residential malicious activities: The malware/threat might reside in the memory to avoid detection. However, the series of commands and connections live in the network. So it is possible to detect non-residential threats with network forensics tools and tactics.

Challenges of Network Forensics

General challenges of network forensics are explained below:

  • Deciding what to do: One of the most difficult challenges of network forensics is “Deciding what to do”. There are several purposes of carving networks: SOC, IH/IR and Threat Hunting. Observing, trapping, catching, or stopping an anomalous activity is also possible.
  • Sufficient data/evidence collection on the network: One of the advantages of network forensics is “Ease of collecting evidence”. However, the breadth of this concept poses a challenge. There are multiple points to consider in data/evidence collection.
  • Short data capture: One of the challenges in data/evidence collection. Capturing all network activity is not practical. So, it is always hard to have packet captures that cover the periods before, during and after an event.
  • The unavailability of full-packet capture on suspicious events: Continuously capturing, storing and processing full-packets costs time and resources. The inability to have full-packet captures for a long time creates time gaps between captures, resulting in missing a significant part of an event of interest. Sometimes NetFlow captures are used instead of full-packet captures to reduce the weight of having full-packet captures and increase the capture time. Note that full-packet captures provide full packet details and give the opportunity of event reconstruction, while NetFlow provides high-level summary but not data/payload details.
  • Encrypted traffic: Encrypted data is another challenge of network forensics. In most cases, discovering the contents of the encrypted data is not possible. However, the encrypted data still can provide valuable information for the hypothesis like source and destination address and used services.
  • GDPR and Privacy concerns in traffic recording: Capturing the traffic is the same as “recording everything on the wire”; therefore, this act should comply with GDPR and business-specific regulations (e.g. HIPAA, PCI DSS and FISMA).
  • Nonstandard port usage: One of the popular approaches in network forensics investigations is grabbing the low-hanging fruit in the first investigation step, that is, looking for commonly used patterns (like known ports and services used in enumeration and exploitation). However, attackers/threats sometimes use nonstandard ports and services to avoid detection and bypass security mechanisms, which makes this a challenge of network forensics.
  • Time zone issues: Using a common time zone is important for large-scale event investigation. Especially when working with multiple resources across different time zones, the use of different time zones creates difficulties in event correlation.
  • Lack of logs: Network forensics is not limited to investigating the network traffic data. Network devices and event logs are crucial in event correlation and investigation hypotheses. Attackers/threats know this as well; therefore, they often erase these logs in order to make the investigation more difficult.
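
The data leakage detection use case and the NetFlow trade-off described above can be made concrete with a short script. This is an added example, not part of the original write-up or of NetworkMiner: it reduces a packet capture to flow records (who, where, when, how much) with timestamps in UTC. The capture is constructed inline, and the names make_pcap, flows and SAMPLE are hypothetical.

```python
import socket, struct
from collections import defaultdict
from datetime import datetime, timezone

def make_pcap(packets):
    """Constructed test data: classic little-endian pcap (Ethernet, TCP/IPv4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, sport, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp    # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def flows(pcap):
    """Reduce full packets to flow records keyed by (src, sport, dst, dport)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    table = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "first": None, "last": None})
    off = 24                                         # skip the global header
    while off + 16 <= len(pcap):
        ts, _usec, caplen, _origlen = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        l4 = 14 + ihl
        if frame[23] != 6 or len(frame) < l4 + 20:
            continue                                 # not TCP, or header truncated
        total_len = struct.unpack_from("!H", frame, 16)[0]
        sport, dport = struct.unpack_from("!HH", frame, l4)
        tcp_hdr = (frame[l4 + 12] >> 4) * 4
        key = (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport)
        rec = table[key]
        rec["packets"] += 1
        # Use the IP total length, not the captured length, so Ethernet padding is not counted
        rec["payload_bytes"] += max(0, total_len - ihl - tcp_hdr)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()  # one time zone: UTC
        rec["first"] = rec["first"] or when
        rec["last"] = when
    return dict(table)

SAMPLE = make_pcap([   # constructed traffic using RFC 5737 documentation addresses
    (1700000000, "192.0.2.10", 49152, "198.51.100.7", 8443, b"A" * 1200),
    (1700000002, "192.0.2.10", 49152, "198.51.100.7", 8443, b"B" * 1200),
    (1700000003, "198.51.100.7", 8443, "192.0.2.10", 49152, b"ok"),
])
```

Sorting the returned records by payload_bytes puts the heaviest sender first. The records keep only counts, sizes and times, which is the high-level summary a flow export gives; the payload needed for reconstruction is discarded.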

Sources of Network Forensics Evidence

Capturing proper network traffic requires knowledge and tools. Usually, there is a single chance of gathering the live traffic as evidence. There are multiple evidence resources to gather network forensics data.

  • TAPS
  • InLine Devices
  • SPAN Ports
  • Hubs
  • Switches
  • Routers
  • DHCP Servers
  • Name Servers
  • Authentication Servers
  • Firewalls
  • Web Proxies
  • Central Log Servers
  • Logs (IDS/IPS, Application, OS, Device)

Primary Purposes of Network Forensics

There are two primary purposes in Network Forensics investigations.

  • Security Operations (SOC): Daily security monitoring activities on system performance and health, user behaviour, and security issues.
  • Incident Handling/Response and Threat Hunting: During/Post-incident investigation activities on understanding the reason for the incident, detecting malicious and suspicious activity, and investigating the data flow content.

Investigated Data Types in Network Forensics

There are three main data types investigated in Network Forensics:

  • Live Traffic
  • Traffic Captures (full packet captures and network flows)
  • Log Files

NetworkMiner is capable of processing and handling packet captures and live traffic. Therefore, we will focus on live and captured traffic in this room. Both of these data sources are valuable for forensics investigations.

Room Answers

What is the total number of frames?

How many IP addresses use the same MAC address with host 145.253.2.203?

How many packets were sent from host 65.208.228.223?

What is the name of the webserver banner under host 65.208.228.223?

Use mx-4.pcap

What is the extracted username?

What is the extracted password?

What is the name of the Linux distro mentioned in the file associated with frame 63075?

What is the header of the page associated with frame 75942?

What is the source address of the image “ads.bmp.2E5F0FD9.bmp”?

What is the frame number of the possible TLS anomaly?

Use mx-9 file

Look at the messages. Which platform sent a password reset email?

What is the email address of Branson Matheson?

Which version can detect duplicate MAC addresses?

Which version can handle frames?

Which version can provide more details on packet details?

Use case1.pcap

What is the OS name of the host 131.151.37.122?

Investigate the hosts 131.151.37.122 and 131.151.32.91.
How many data bytes were received from host 131.151.32.91 to host 131.151.37.122 through port 1065?

Investigate the hosts 131.151.37.122 and 131.151.32.21.
How many data bytes were received from host 131.151.37.122 to host 131.151.32.21 through port 143?

What is the sequence number of frame 9?

What is the number of the detected “content types”?

Use case2.pcap
Investigate the files.

What is the USB product’s brand name?

What is the name of the phone model?

What is the source IP of the fish image?

What is the password of the “homer.pwned.se@gmx.com”?

What is the DNS Query of frame 62001?

Video Walkthrough
